TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Physical Security Risk Assessment Program Needs Improvement

September 16, 2013

Reference Number: 2013-10-101

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number   | 202-622-6500
E-mail Address | TIGTACommunications@tigta.treas.gov
Website        | http://www.treasury.gov/tigta

HIGHLIGHTS

Final Report issued on September 16, 2013

Highlights of Reference Number: 2013-10-101 to the Internal Revenue Service Chief, Agency-Wide Shared Services.

IMPACT ON TAXPAYERS

The IRS’s Physical Security and Emergency Preparedness office is responsible for conducting risk assessments to ensure that IRS facilities are secure and employees and taxpayers are safe. TIGTA’s review identified deficiencies in the Physical Security Risk Assessment Program and found that not all facilities received risk assessments as required. As a result, the IRS may have security vulnerabilities that are not identified and addressed in a timely manner, thereby placing IRS employees and taxpayers at risk.

WHY TIGTA DID THE AUDIT

This audit was initiated because of the numerous threats made against IRS facilities and employees. To proactively mitigate these threats, the IRS is required to conduct comprehensive and timely risk assessments to identify and address vulnerabilities in physical security. The overall objective of this review was to determine whether physical security risk assessments were conducted as required at all IRS facilities.

WHAT TIGTA FOUND

The IRS completed 630 risk assessments at IRS facilities and met its requirement to provide a report summarizing the findings to the IRS Commissioner in January 2011. However, the IRS did not complete risk assessments at 14 facilities. Additionally, the IRS could not provide evidence that risk assessments were performed for 49 facilities that are the responsibility of the Federal Protective Service. These 49 facilities included childcare centers, parking lots and garages, and storage units that, although not occupied by IRS employees, are within or adjacent to facilities housing IRS employees.

Completed risk assessments prepared by the IRS identified numerous additional security countermeasure needs at IRS facilities. However, TIGTA found that some countermeasures were not acted upon. The IRS cited resource constraints as a reason that countermeasures were not implemented. For example, the IRS did not implement blast mitigation countermeasures at approximately 191 facilities and has not added additional guards or other countermeasures at certain Taxpayer Assistance Centers. During site visits to IRS facilities, TIGTA also found that risk assessments did not identify additional vulnerabilities. For example, a childcare center allows direct access to one IRS facility without the required screening. At another facility, a local IRS manager chose not to implement countermeasure improvements paid for and provided to the facility.

WHAT TIGTA RECOMMENDED

TIGTA made seven recommendations to the Director, Physical Security and Emergency Preparedness, to address identified weaknesses. For example, TIGTA recommended that the IRS include the development of a process to ensure that inventory records contain all relevant information including the dates when risk assessments should be performed. TIGTA also recommended that the IRS implement appropriate security protocols at the facility with the childcare center to screen all visitors entering the grounds and the building according to requirements.

In their response, IRS management agreed with the recommendations and plans to implement corrective actions to address them. For example, the IRS plans to ensure that inventory records include all relevant information and develop a process to ensure that required countermeasures are in place and functioning at all Taxpayer Assistance Centers.

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 16, 2013

MEMORANDUM FOR CHIEF, AGENCY-WIDE SHARED SERVICES

FROM:     Michael E. McKenney
          Acting Deputy Inspector General for Audit

SUBJECT:  Final Audit Report – The Physical Security Risk Assessment Program Needs Improvement (Audit # 201210007)

This report presents the results of our review to determine whether physical security risk assessments were conducted as required at all Internal Revenue Service (IRS) facilities. Our review focused on the risk assessments conducted by the Physical Security and Emergency Preparedness office in Calendar Year 2010 to address the IRS Commissioner’s requirement to conduct risk assessments at all IRS-occupied facilities to identify measures needed to improve employee safety. This review is included in our Fiscal Year 2013 Annual Audit Plan and addresses the major management challenge of Security for Taxpayer Data and Employees.

Management’s complete response to the draft report is included as Appendix IX.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. If you have any questions, please contact me or Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and Exempt Organizations).

Table of Contents

Background

Results of Review
    The Physical Security and Emergency Preparedness Office Completed 630 Risk Assessments, but Did Not Perform Risk Assessments on Additional Internal Revenue Service Facilities
        Recommendations 1 through 3
    Risk Assessment Findings Were Not Consistently Acted Upon, and Additional Vulnerabilities Were Identified During Site Visits
        Recommendation 4
        Recommendations 5 through 7

Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Facility Security Level Determination Matrix
    Appendix VI – Fourteen Internal Revenue Service Buildings That Did Not Receive a Risk Assessment in Calendar Year 2010
    Appendix VII – Status of 14 Internal Revenue Service Buildings That Did Not Receive Timely Risk Assessments
    Appendix VIII – Fourteen Physical Security and Emergency Preparedness Office Territories
    Appendix IX – Management’s Response to the Draft Report

Abbreviations

CY     Calendar Year
FPS    Federal Protective Service
FSL    Facility Security Level
GDI    Graphic Database Interface
IRS    Internal Revenue Service
ISC    Interagency Security Committee
PSEP   Physical Security and Emergency Preparedness
TAC    Taxpayer Assistance Center

Background

Due to the nature of the Internal Revenue Service’s (IRS) mission, the organization remains a target for those who are angry at the tax system or the Government. Threats of violence directed at the IRS’s 100,000 employees at more than 600 facilities throughout the country have increased during a time of continued financial hardship.[1] In the one-year period between October 2010 and September 2011, there were more than 1,400 reported threat incidents directed towards IRS employees and infrastructure.

In an effort to address the continued threat to IRS employees and facilities, in March 2010, the IRS Commissioner initiated a Security Readiness Project which established a task force with a mission to determine how to improve the IRS’s security posture and assure employees that they are safe in the workplace.
One important component of the project included conducting in-depth security reviews (risk assessments) of all IRS facilities by December 31, 2010.

The Agency-Wide Shared Services’s Physical Security and Emergency Preparedness (PSEP) office is responsible for program management and operations support to ensure that all IRS physical security and emergency preparedness programs are operating in an integrated manner to protect IRS employees, facilities, critical business operations, and assets.

The PSEP office’s primary responsibilities are to:
    • Ensure the protection of employees, visitors, and property at IRS facilities.
    • Ensure the security of IRS physical infrastructure and classified information.
    • Ensure that readiness and preparedness activities enhance the IRS’s ability to continue ongoing services to taxpayers.
    • Coordinate and execute emergency preparedness and crisis response activities IRS-wide and in conjunction with other Federal, State, local, and relief agencies.
    • Develop and maintain an effective working relationship with the Department of Homeland Security, the Department of Defense, and other Federal agencies involved in national security and emergency response issues.

To fulfill one of its primary responsibilities, the PSEP office has implemented a risk assessment program based on the Department of Homeland Security’s Interagency Security Committee (ISC) standards.[2] Risk assessments evaluate both internal and external security risks and are conducted on a pre-established schedule depending on the assigned Facility Security Level (FSL) of the facility.[3]

[1] The 600-plus facilities include IRS employee-occupied facilities and other non-IRS occupied facilities such as privately run childcare centers or credit union sites, which typically house non-IRS personnel.

According to the guidance in the ISC standards, the first step in the risk assessment process entails determining the FSL of the facility. The PSEP office used the criteria in the ISC standards for establishing the FSL, which involves analyzing various factors that make the facility a target for adversarial acts as well as those that characterize the value or criticality of the facility. These factors are input into a matrix of criteria and given a point value, and the total point value determines the FSL of the facility.

The FSL of a facility ranges from one to five, with five being the highest level for security risk and one being the lowest level. For example, a facility designated as FSL V would require the most security. Some of the factors considered in determining the FSL assessment include the number of employees occupying the facility and the square footage.
Other factors which could raise the FSL could include intangible items such as symbolic significance or historical importance of a facility.

As such, the PSEP office was tasked with identifying the total number of IRS-occupied buildings and conducting in-depth risk assessments at those facilities.[4] A prior Treasury Inspector General for Tax Administration review[5] evaluated the contract between the IRS and the contractor to ensure that the IRS received the deliverables from the contractor in accordance with the terms of the contract.[6] Based on the concerns raised during that review of the contract, we initiated this review to assess the adequacy of the physical security assessments conducted at IRS facilities.

For this review, we judgmentally[7] selected for review 10 IRS facilities from the 630 risk assessments conducted by the PSEP office. Our review included facilities with FSL II through FSL V levels and represented four of the 14 PSEP office Territories nationwide.[8] Our analysis included site visitations to interview PSEP office staff (including the security specialist and the respective Territory manager) and walkthroughs of each of the 10 facilities. The physical observations during the walkthroughs and interviews with on-site PSEP office staff to discuss the risk assessments they conducted in Calendar Year (CY)[9] 2010 provided us with a better understanding of the risk assessment process and helped to determine the status of the CY 2010 findings and recommendations. Our physical observations were not intended to replicate risk assessments performed during CY 2010.

[2] The ISC established standards for security in and protection of Federal facilities. The ISC issued interim standards, Physical Security Criteria for Federal Facilities – An Interagency Security Committee Standard (April 12, 2010), that established a baseline set of physical security measures to be applied to all Federal facilities based on their designated Facility Security Level.
[3] See Appendix V for the FSL Determination Matrix used by the PSEP office.
[4] PSEP office management determined they would perform risk assessments only at IRS facilities with employees. The PSEP office excluded some facilities such as parking lots, storage facilities, childcare centers, and credit unions.
[5] Treasury Inspector General for Tax Administration, Ref. No. 2012-10-075, An Independent Risk Assessment of Facility Physical Security Was Not Performed in Compliance With Contract Requirements (Jul. 2012).
[6] Physical Security Emergency Preparedness Risk Assessment contract (TIRNO-10-C-00041).
[7] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.
[8] See Appendix VIII for a list of the 14 PSEP office Territories.

This review was performed at the IRS National Headquarters in the Agency-Wide Shared Services function in Washington, D.C., during the period June 2012 through July 2013.
Site visits were also made to two offices in Denver, Colorado; one office in Golden, Colorado; three offices in Atlanta, Georgia; two offices in Memphis, Tennessee; one office in Falls Church, Virginia; and the IRS National Headquarters in Washington, D.C. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[9] The 12-consecutive-month period ending on December 31.

Results of Review

The Physical Security and Emergency Preparedness Office Completed 630 Risk Assessments, but Did Not Perform Risk Assessments on Additional Internal Revenue Service Facilities

By December 31, 2010, the PSEP office completed 630 risk assessments and met its requirement to provide a report summarizing the findings to the IRS Commissioner in January 2011. Although our review did not evaluate the accuracy or completeness of all 630 risk assessments, we did find that the PSEP office completed all 630 risk assessments in the necessary six-month period.
However, risk assessments were not completed at 14 facilities occupied by IRS employees in CY 2010.[10] In addition, the PSEP office did not complete risk assessments at 49 other facilities that were not specifically occupied by IRS employees but were located in or adjacent to the facilities.

Risk assessments were not performed at 14 facilities during CY 2010

The PSEP office did not conduct risk assessments on 14 facilities occupied by IRS employees. While PSEP office management did not explain why risk assessments were not performed at the 14 facilities we identified, the PSEP office’s method of tracking its inventory of facilities may have contributed to the omission. The PSEP office compiles its inventory list by maintaining an Excel spreadsheet based on real estate data contained in the IRS’s Graphic Database Interface (GDI).[11] Because the Excel spreadsheet is a standalone document and not linked to the GDI, any changes in a facility’s status must be noted by the PSEP office employee and transferred to the spreadsheet manually. Therefore, if the PSEP office employee does not reconcile the changes between the GDI and the Excel spreadsheet, there may be errors and omissions in the inventory list maintained by the PSEP office.

After we informed it of the omission, the PSEP office performed risk assessments on five of the 14 facilities that did not receive a risk assessment in CY 2010. Two of these five facilities were designated as FSL IV, and the remaining three facilities were designated as FSL II. For the remaining nine facilities, PSEP office management stated that although these facilities were open during CY 2010 and should have had risk assessments performed, they are now closed.[12]

Maintaining an accurate inventory of IRS-occupied facilities is imperative for the PSEP office to accomplish its mission. If risk assessments are not done timely or if facilities are missed, security vulnerabilities may not get addressed and IRS employees and Government assets could be subject to increased risk.[13] Approximately 4,408 IRS employees were located at the 14 facilities we identified.[14]

[10] See Appendix VI for a list of the 14 facilities, which consisted of four buildings associated with one campus and 10 IRS office buildings. A campus is the data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts. Of these 14 facilities, nine have closed and five remain open. See Appendix VII for more information.
[11] The GDI is an automatic system that tracks the IRS real property portfolio including buildings, space, and services. The GDI report is provided to the PSEP office by the Real Estate Facility Management group. PSEP office management used the June 6, 2010, GDI report to estimate the number of buildings in inventory.

Risk assessments were not performed at 49 facilities, including credit unions, childcare centers, storage facilities, and parking lots

In addition to the 14 facilities previously discussed, we identified 49 facilities that did not receive a risk assessment in CY 2010. These 49 facilities, which included childcare centers, parking lots and garages, storage units, and a credit union, are not specifically occupied by IRS employees. These facilities are used by IRS employees and are typically located either within or next to facilities housing IRS employees.
PSEP office management stated that the 49 facilities were excluded because the Federal Protective Service (FPS)[15] is responsible for the security at these facilities. However, the PSEP office did not provide evidence that the 49 facilities received a risk assessment from either the IRS or the FPS.

The PSEP office’s Internal Revenue Manual[16] does not address which types of facilities should receive a risk assessment. However, during our audit, PSEP office management issued a Standard Operating Procedure dated August 7, 2012, which provides general information about the types of facilities the PSEP office should review. The document states, “risk assessments are performed at all IRS facilities, occupied by Federal employees and contractors and Day Care centers.” Although the PSEP office recently issued procedures, there is limited information about which types of facilities require a PSEP risk assessment. For example, we received conflicting information about childcare centers and storage facilities during interviews with PSEP office management. One PSEP manager stated that if a childcare center is located in a single-tenant building, the IRS (the PSEP office) would perform the risk assessment; however, if the childcare center is located in a multitenant building, the FPS would perform the risk assessment. In another instance, a Territory manager stated that the PSEP office would perform a risk assessment on an unoccupied storage facility if it contained grand jury records.

[12] See Appendix VII for more information.
[13] The ISC requires that buildings designated as FSLs III, IV, and V be evaluated on a three-year cycle, and buildings designated as FSLs I and II be completed every five years. The FSL is developed based upon mission criticality, symbolism, population, facility size, and threat to tenant agencies.
[14] See Appendices VI and VII for more information about these facilities.
[15] The FPS is an organization within the Department of Homeland Security.
[16] IRM 10.2.11 (Sep. 28, 2009).

PSEP office management stated that they do not have a documented policy or agreement with the FPS regarding the risk assessment process. They also indicated that the FPS has responsibility for the 49 facilities because they are leased by the General Services Administration. However, PSEP office management also advised us that the General Services Administration leases all IRS buildings because the IRS owns none of its facilities. PSEP office management stated they have an excellent relationship with the FPS, but communication between the two organizations is a challenge.

PSEP office management could not confirm whether the FPS conducted risk assessments at the 49 facilities we identified. As a result, the safety of IRS employees and facilities could be affected because many of these 49 facilities are located adjacent to or in close proximity to IRS facilities.
In addition, the Standard Operating Procedure does not provide a clear explanation of the types of facilities that require a risk assessment, so there is a risk that some facilities may be omitted from future risk assessments.

Recommendations

The Director, PSEP, should:

Recommendation 1: Develop a process to ensure that inventory records include all relevant information, such as the date facilities are open and closed as well as the dates risk assessments should be performed.

    Management’s Response: The IRS agreed with this recommendation. The Director, PSEP, Agency-Wide Shared Services, implemented a process to ensure that PSEP inventory records include all relevant information, such as the date facilities are opened and closed as well as the dates risk assessments should be performed. The PSEP staff uses monthly reports from the GDI Building Directory and the Joint Information Management Site Consolidated Report to maintain an accurate building inventory and to calculate the due dates for risk assessments.

Recommendation 2: Work with the FPS to ensure that the IRS receives copies of FPS risk assessments performed at IRS facilities and a schedule of when the FPS plans to perform future risk assessments of IRS facilities.

    Management’s Response: The IRS agreed with this recommendation.
    The Director, PSEP, will request from the FPS National Director, copies of all FPS risk assessments of space in IRS inventory and a schedule of when the FPS plans to perform future risk assessments.

Recommendation 3: Update the policies for the risk assessment program to distinguish which facilities, such as childcare centers, parking lots, and storage facilities, require an FPS risk assessment and which ones, such as IRS employee-occupied facilities, require a PSEP office risk assessment.

    Management’s Response: The IRS agreed with this recommendation. The Director, PSEP, will update Physical Security Internal Revenue Manual 10.2.11, Basic Security Concepts, and Standard Operating Procedures 021 (a), Risk Assessments, to distinguish which risk assessments are the responsibility of the FPS and which risk assessments are the responsibility of the PSEP office.

Risk Assessment Findings Were Not Consistently Acted Upon, and Additional Vulnerabilities Were Identified During Site Visits

The risk assessment project completed in CY 2010 included numerous findings related to additional security countermeasures needed at IRS facilities. However, some findings were not acted upon. Specifically, we found that the process to implement the security countermeasures did not consistently follow the established prioritization schedule, and some countermeasures were not implemented, which the IRS attributed in part to resource constraints.
In addition, during our site visits, we identified security weaknesses that were not addressed through the risk assessment process and found that records on prior risk assessments were not always retained.

The PSEP office did not consistently follow up on risk assessment findings

Although PSEP office management developed a prioritization schedule to roll out the security countermeasures, we found they sometimes implemented lower priority countermeasures before other higher priority actions. The prioritization schedule was intended to phase in the large volume of countermeasures based on criticality, over a period of time, as funding became available. PSEP office management made a decision to address “low-hanging fruit” if a lower priority countermeasure, such as posting signs advising of video surveillance, was low cost and could be easily implemented. However, by diverting attention from higher priority countermeasures to lower, less critical countermeasures, critical vulnerabilities may not have been addressed timely.

We also found that PSEP office management made a decision to not implement blast mitigation at approximately 191 facilities that were identified through the CY 2010 risk assessment project. Blast mitigation countermeasures generally refer to specially designed window systems to mitigate the hazards from glass and flying debris. These countermeasures vary by the FSL of a facility, but are required by ISC standards for FSL II through V facilities. PSEP office management explained that the costs associated with updating numerous IRS facilities with needed blast mitigation measures were prohibitive and impractical; management had decided to accept the risk of not implementing this countermeasure. However, we believe blast mitigation should have been considered on a case-by-case basis because some IRS facilities may be more vulnerable than others.
For example, a single-story building where parking is allowed adjacent to the building could be at greater risk than an IRS space that is located on a higher floor of a building and further removed from parked vehicles.

Finally, as of May 2013, some Taxpayer Assistance Centers (TAC)[17] still lacked additional guards and other countermeasures, although these vulnerabilities were identified in the CY 2010 risk assessments. On November 8, 2010, PSEP office management reported that a decision was made to maintain a permanent guard presence at all TACs as a result of the risk assessment project and, according to PSEP records, each TAC has at least one guard present at each location.[18] However, risk assessments performed at TACs across the country identified that some TACs need additional guard presence and other countermeasures such as x-ray machines to comply with the ISC standards. During our audit, we found that at least four TACs do not currently have the additional guard or x-ray machine recommended by the risk assessments. PSEP office management stated that this information is not tracked on a national level and thus could not provide information on how many TACs nationally have increased vulnerability because additional guards and other countermeasures are not in place.

The ISC standards require that certain facilities maintain a guard presence and that the risk assessment determines the need for security guard presence. Despite the apparent critical nature of this countermeasure, PSEP office management categorized guard deployment as the lowest priority level for implementation.
PSEP office management also stated that they were unable to
place additional guards at all of the offices that need them because of budget constraints.

Because IRS employees at the TACs are engaged in face-to-face contact with taxpayers daily,
there is an ongoing risk that they may come into contact with individuals who pose a physical
threat to them or the facility. Having all the required countermeasures at these offices is critical
to ensuring the safety of IRS employees and members of the public who visit IRS offices.

Site visits identified additional unaddressed security vulnerabilities

During our site visits to 10 IRS facilities, we identified security vulnerabilities at two locations
that PSEP office management was unaware of until the audit team brought them to their attention.
At one location, the CY 2010 risk assessment did not disclose a security vulnerability related to a
childcare center located within an IRS facility. At another location, local management did not
implement the security countermeasures recommended by the PSEP office.

[17] A TAC is an IRS office with employees who answer questions, provide assistance, and resolve account issues for
taxpayers face to face.
[18] The Agency-Wide Shared Services Business Performance Review. The Business Performance Review process is
conducted quarterly for each operating division. During these reviews, division commissioners and chiefs discuss
their progress on meeting their performance targets or goals and new or emerging issues that may affect major
programs and performance.

At one location we visited, the risk assessment failed to disclose that visitors to a childcare center
did not receive the appropriate security screening.[19] This specific childcare center is located
inside of the IRS building, but visitors enter the childcare center space through a separate
reception area where there is no physical security screening. Additionally, childcare center
visitors are allowed to enter the overall campus grounds with their vehicle if the childcare center
has provided their name to the guard on duty at the entrance.

For this childcare center, we observed that FPS guards do not screen visitors, and we were
informed that PSEP office management is unaware of what screening procedures are used by
the childcare center. The IRS facility the childcare center is located in is unique because it
houses critical IRS infrastructure and is designated as a combined FSL IV and V. Because of the
significance of this facility, ISC standards[20] require that all visitors be screened by an armed FPS
guard, be screened via a magnetometer, and be submitted to x-raying of personal items. In
contrast, we visited two other FSL IV buildings that house childcare centers and observed that
they screened visitors as required by ISC standards.

PSEP office staff explained that the childcare center at this facility is operated by a private
company that leases the space directly from the General Services Administration.
According to PSEP office management, the General Services Administration made a decision to
lease the childcare center space to a private company. In addition, after being advised of the
situation on December 3, 2012, PSEP office management stated that they believed appropriate
screening measures were in place at this facility but did not provide any documentation to
confirm that visitors to the childcare center space are screened by the FPS. We subsequently
revisited the childcare center on December 18, 2012, and confirmed that visitors still enter the
childcare center without being screened by the FPS. Because the general public is allowed
access to the IRS grounds and facility and comes in close proximity to IRS operations,
appropriate security measures should be in place to ensure the safety of the approximately
2,626 IRS employees as well as visitors at this facility.

At another location we visited, the countermeasures recommended by PSEP office staff were not
implemented, although they were funded and provided to the facility. During our site visit to this
FSL III facility, we found that the local manager of the TAC had not implemented the
countermeasures that the PSEP office security staff recommended after the CY 2010 risk
assessment review. The risk assessment recommended that the office space be reconfigured (by
moving a wall between the waiting area and the entrance to the office) to allow the armed FPS
security guard to see visitors entering the facility and those seated in the waiting room.
Additionally, a handheld magnetometer wand was recommended so that the guard could screen
the visitors as required by the ISC standards for an FSL III facility.

The TAC manager told us that he initially reconfigured the office and removed the wall in
accordance with the risk assessment recommendation. However, he did not like the office
reconfiguration or having to use the handheld magnetometer wand to screen visitors. Without
informing the PSEP office, the TAC manager stopped using the magnetometer wand and
reconfigured the office back to the way it was before the risk assessment. The security specialist
responsible for this facility stated that she was very familiar with the facility and was surprised
that the countermeasures were not implemented by the TAC manager. The security specialist
also stated that there is no mechanism in place to follow up on recommended countermeasures
resulting from the risk assessments. A follow-up visit to the TAC in April 2013 found that this
condition had not been addressed. The ongoing vulnerability continues to expose IRS employees
and taxpayers because critical countermeasures are not in place.

[19] The ISC standard requires that the screening consists of having the individual go through the magnetometer or be
screened with a handheld magnetometer wand as well as screening all bags and packages that the person has in his
or her possession. A magnetometer is a form of electronic screening and may be a device persons walk through or a
handheld device.
[20] Department of Homeland Security, FSL Determinations for Federal Facilities, An Interagency Security
Committee Standard (March 2008).

Risk assessments prior to CY 2010 were not maintained at sites visited

For eight of the 10 sites we visited, PSEP office management did not provide us with risk
assessments that were conducted prior to CY 2010 because records were not retained.
PSEP office management also could not provide us with the dates risk assessments were
performed at those locations prior to CY 2010. Consequently, we could not determine how long
security vulnerabilities identified in CY 2010 had existed for these locations. The ISC standards
require that risk assessments be performed every five years for facilities designated as FSL I and
FSL II and every three years for facilities designated as FSLs III, IV, and V. However, PSEP
office management stated that their policy is to retain risk assessment records for only three
years or until discontinuance of the facility (whichever is sooner).[21] Therefore, records from
prior risk assessments may not be available for security personnel to review when upcoming risk
assessments are scheduled for FSL I and FSL II facilities.

Without access to prior risk assessment documentation, the program lacks transparency and the
PSEP office cannot provide assurance that the required risk assessments are performed timely or
that security vulnerabilities raised in the past have been mitigated or resolved.

[21] Internal Revenue Manual 1.15.20 (Oct. 19, 2010).

Recommendations

The Director, PSEP, should:

Recommendation 4: Follow the prioritization schedule developed by PSEP office
management to implement the recommendations from the CY 2010 risk assessments and ensure
that the most critical security vulnerabilities are addressed as funding becomes available.

       Management’s Response: The IRS agreed with this recommendation. The Director,
       PSEP, will follow the prioritization schedule to implement the recommendations from the
       CY 2010 risk assessments. As funding becomes available, the most critical security
       vulnerabilities will be addressed.

Recommendation 5: Develop a process to ensure that required countermeasures are in place
and functioning as required at all TACs.

       Management’s Response: The IRS agreed with this recommendation. The Director,
       PSEP, will develop a process to ensure that required countermeasures are in place and
       functioning as required at all TACs.

Recommendation 6: Implement appropriate security protocols at the facility with the
childcare center to ensure that all visitors entering the campus grounds and the building are
screened according to ISC standards.

       Management’s Response: The IRS agreed with this recommendation. The Director,
       PSEP, will ensure that language is included in Physical Security Internal Revenue
       Manual 10.2.11, Basic Security Concepts, that clarifies the requirement to ensure that
       visitors entering the campus grounds and the building are screened according to ISC
       standards before entering the childcare center.

Recommendation 7: Ensure that risk assessment documents are retained long enough so they
will be available when future risk assessments are conducted.

       Management’s Response: The IRS agreed with this recommendation.
       The Director, PSEP, will ensure that the Standard Operating Procedures 021(a), Risk
       Assessments, is updated to include the requirement that risk assessments are to be
       maintained until a new risk assessment is completed.

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether physical security risk assessments
were conducted as required at all IRS facilities. Our review focused on the risk assessments
conducted by the PSEP office in CY 2010, which addressed the IRS Commissioner’s
requirement to conduct risk assessments at all IRS-occupied facilities and identify measures
needed to improve employee safety. To accomplish our objective, we:

I.      Determined the process used by the IRS to conduct physical security risk assessments of
        its facilities in CY 2010.
        A. Interviewed PSEP office management to gain an understanding of the procedures
           used to conduct the physical security risk assessments.
        B. Identified the policy, guidelines, etc., used by the IRS for conducting the physical
           security risk assessments.
        C. Requested a list of all IRS facilities as of December 31, 2010, the endpoint of the risk
           assessment project.
II.     Determined if physical security risk assessments were performed in CY 2010 for all IRS
        facilities.
        A. Obtained all physical security risk assessments conducted by the IRS in CY 2010 and
           confirmed whether a physical security risk assessment was performed for every IRS
           facility as required.
        B. Obtained June 2010 reports from the Treasury Integrated Management Information
           System[1] and the GDI to identify all occupied facilities.
        C. Compared the list of IRS facilities with the physical security risk assessments
           conducted in CY 2010.
III.    Assessed the process followed by IRS personnel when performing physical security risk
        assessments in CY 2010.
        A. Selected a judgmental sample[2] of 10 facilities to review based on the FSL of the
           facility, the geographic location, and the type of facility. A judgmental sample of
           10 facilities of the more than 600 facilities was selected due to resource constraints
           associated with physical travel to the various locations.
        B. Performed a site visitation to the 10 facilities selected in our sample.
           1. Determined whether any of the vulnerabilities identified during the physical
              security risk assessments still exist.
           2. Interviewed IRS personnel who performed the physical security risk assessments
              to obtain their feedback on the assessment process and whether they are aware of
              any unreported vulnerabilities that were in existence at the time of the CY 2010
              assessments.
        C. Determined how the recommendations and findings in the physical security risk
           assessments were addressed, implemented, or mitigated.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their
mission, goals, and objectives. Internal controls include the processes and procedures for
planning, organizing, directing, and controlling program operations. They include the systems
for measuring, reporting, and monitoring program performance. We determined the following
internal controls were relevant to our audit objective: policies and procedures guiding the risk
assessment process, PSEP office staff qualifications and training, and management oversight.
We evaluated these controls by interviewing IRS management, reviewing a sample of risk
assessments performed in CY 2010, and reviewing applicable documentation, including the
pertinent ISC standards to support the program.

[1] Treasury Integrated Management Information System supports payroll and personnel processing and reporting
requirements for the IRS. The system contains data for IRS employees including job series, grade, and location.
This system is currently operated by the U.S. Department of Agriculture at their National Finance Center in
New Orleans, Louisiana, which is a third party to the IRS.
[2] A judgmental sample is a nonstatistical sample, the results of which cannot be used to project to the population.

Appendix II

Major Contributors to This Report

Gregory D. Kutz, Assistant Inspector General for Audit (Management Services and Exempt
Organizations)
Jeffrey M. Jones, Director
Jonathan T. Meyer, Director
Janice M. Pryor, Audit Manager
Yasmin B. Ryan, Lead Auditor
Allen L. Brooks, Senior Auditor
Michele N. Strong, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Chief Financial Officer OS:CFO
Director, Physical Security and Emergency Preparedness OS:A:PSEP
Director, Risk Management Operations and Policy OS:A:PSEP
Director, Security Standards and Enhancements OS:A:PSEP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Chief, Agency-Wide Shared Services OS:A

Appendix IV

Outcome Measure

This appendix presents detailed information on the measurable impact that our recommended
corrective actions will have on tax administration. This benefit will be incorporated into our
Semiannual Report to Congress.

Type and Value of Outcome Measure:
• Protection of Resources – Potential; five facilities were potentially at risk for having
  inadequate physical security or security protocols that were not in compliance with ISC
  standards.
  Approximately 248 IRS employees were potentially affected in those five
  facilities (see page 4).

Methodology Used to Measure the Reported Benefit:
We compared PSEP office inventory lists of IRS-occupied buildings to the June 2010 GDI
reports to determine if any facilities were omitted from the CY 2010 risk assessment project.
We found that the IRS did not conduct risk assessments at these five buildings, housing 248 IRS
employees, which are currently open. We traced the five buildings to the June 2010 GDI report
to confirm the number of employees at each location.
To determine if any buildings were omitted, we compared both the June 2010 GDI report and the
June 2010 Treasury Integrated Management Information System report against the IRS’s list to
receive a risk assessment, but risk assessments were not completed.

Appendix V

Facility Security Level Determination Matrix

                                                        Points
Factor                            1 point    2 points          3 points           4 points
Mission Criticality               Low        Medium            High               Very High
Symbolism                         Low        Medium            High               Very High
Facility Population               <100       101–250           251–750            >750
Facility Size (Square Footage)    <10,000    10,000–100,000    100,001–250,000    >250,000
Threat to Tenant Agencies         Low        Medium            High               Very High
Intangible Factors                —          —                 —                  —
Total Score                       —          —                 —                  —
Source: PSEP office management.

Note: The FSL may be raised or lowered one level at the discretion of the Agency Designated
Official based on intangible factors. However, the intangible factor should not be used to raise
or lower the FSL in response to a particular threat act.

Scoring      Total Points to Determine the FSL
Level I      5–7 Points
Level II     8–12 Points
Level III    13–17 Points
Level IV     18–20 Points
Level V      The criteria and decisionmaking authority for identifying
             Level V facilities are within the purview of the individual agency.
Source: PSEP office management.

Appendix VI

Fourteen Internal Revenue Service Buildings
That Did Not Receive a Risk Assessment
in Calendar Year 2010

Building Number    FSL        City, State                    Type of Property    Number of IRS Employees
AK0029             IV         Fairbanks, Alaska              IRS Office                6
CA6000             II         San Francisco, California      IRS Office              179
CA8072             Unknown    Santa Cruz, California         IRS Office               10
CT0059             IV         Bridgeport, Connecticut        IRS Office               54
DE0017             II         Dover, Delaware                IRS Office               10
FL2046             II         Deerfield Beach, Florida       IRS Office              104
KY3048             II         Florence, Kentucky             IRS Office               19
MI1942             II         Clinton Township, Michigan     IRS Office               50
PA0462             IV         Philadelphia, Pennsylvania     Campus                1,713
PA0719             II         Bethlehem, Pennsylvania        IRS Office               34
PA0727             IV         Philadelphia, Pennsylvania     Campus                  479
PA0739             III        Philadelphia, Pennsylvania     Campus                  222
PA6520             IV         Philadelphia, Pennsylvania     Campus                1,520
TX2353             II         Bryan, Texas                   IRS Office                8

Total IRS Employees Stationed at the 14 Buildings in CY 2010                       4,408
Source: Treasury Inspector General for Tax Administration review of the June 2010 GDI report.

Appendix VII

Status of 14 Internal Revenue Service Buildings
That Did Not Receive Timely Risk Assessments

                                           Was a Risk      Was a Risk
                                           Assessment      Assessment
Building                                   Completed in    Completed        Date of Risk    Date Building
Number      City, State                    CY 2010         After CY 2010    Assessment      Closed
AK0029      Fairbanks, Alaska              No              Yes              10/18/2012      —
CA6000      San Francisco, California      No              No               —               8/31/2011
CA8072      Santa Cruz, California         No              No               —               5/31/2012
CT0059      Bridgeport, Connecticut        No              Yes              11/12/2012      —
DE0017      Dover, Delaware                No              No               —               11/30/2011
FL2046      Deerfield Beach, Florida       No              Yes              9/28/2012       —
KY3048      Florence, Kentucky             No              No               —               11/30/2011
MI1942      Clinton Township, Michigan     No              Yes              3/05/2012       —
PA0462      Philadelphia, Pennsylvania     No              No               —               4/30/2011
PA0719      Bethlehem, Pennsylvania        No              Yes              6/15/2012       —
PA0727      Philadelphia, Pennsylvania     No              No               —               4/30/2011
PA0739      Philadelphia, Pennsylvania     No              No               —               4/30/2011
PA6520      Philadelphia, Pennsylvania     No              No               —               4/30/2011
TX2353      Bryan, Texas                   No              No               —               9/30/2011

Buildings That Closed After CY 2010 and Did Not Receive a Risk Assessment                 9

Buildings That Received a Risk Assessment After CY 2010                                   5
Source: Treasury Inspector General for Tax Administration review of the June 2010 GDI report and the June 2010
Treasury Integrated Management Information System report.

Appendix VIII

Fourteen Physical Security and
Emergency Preparedness Office Territories

Territory           State/Location
Andover             Connecticut; Maine; Massachusetts; New Hampshire; Rhode Island; Vermont
Atlanta             Alabama; Florida; Georgia
Austin              Texas
Brookhaven          New York
Covington           Kentucky; Ohio
Detroit             Illinois; Indiana; Michigan; Wisconsin
Fresno              Alaska; California (Fresno, Tulare, and Visalia); Idaho; Nevada; Oregon; Washington
Kansas City         Iowa; Kansas; Minnesota; Missouri; Nebraska; North Dakota; Oklahoma; South Dakota
Martinsburg         North Carolina; Puerto Rico; South Carolina; United States Virgin Islands; Virginia; West Virginia
Memphis             Arkansas; Louisiana; Mississippi; Tennessee
National Capital    Delaware; Maryland
Oakland             California (Rest of the State); Hawaii
Ogden               Arizona; Colorado; Montana; New Mexico; Utah; Wyoming
Philadelphia        Pennsylvania; New Jersey
Source: PSEP office website, March 2013.

Appendix IX

Management’s Response to the Draft Report
'